1. Field of the Invention
The present invention relates to an apparatus and method for providing a security function for frames transmitted between optical line terminals (OLTs) and optical network units (ONUs) in an Ethernet passive optical network (EPON) providing media access control (MAC) services. More specifically, the present invention relates to an apparatus and method for applying a security policy to each frame in an EPON, providing secrecy, authentication and integrity of the frames, defending against attacks on the encryption, and ranging frames that pass through a MAC security apparatus.
2. Description of the Related Art
At the network layer, an IP security (IPsec) function or an application-level security function (for example, password authentication) is used to provide security and authentication for transmitted frames.
However, with recent developments in the scalability of local area networks (LANs), expansion to broadband networks, and high-speed Layer 2 switching technology, security and authentication functions for frames are now demanded in communication services that use only the data link layer.
In response to this demand, the IEEE 802.1 working group started the IEEE 802.1AE (MAC Security) project, which is preparing methods for providing the MAC security function required at the data link layer and standardizing the structure of a MAC security apparatus (MAC security entity). So far, Draft 2.0 of the MAC security entity has been released.
In the IEEE 802.3ah Ethernet in the first mile (EFM) standard, the method and structure being standardized in IEEE 802.1AE are used in order to provide a security function and an authentication function in an EPON.
Because it has a media-sharing point-to-multipoint structure, an EPON is not inherently secure, and a security function is therefore needed. In the EPON topology, another ONU can eavesdrop on downstream traffic, while in upstream traffic an ONU may gain unauthenticated access to resources or impersonate another ONU.
Accordingly, since subscribers must be given secrecy of their information, and service providers must be given protection of content and the ability to bill for subscriber access, an EPON, being a subscriber network, aims to provide integrity of subscriber traffic and to block access by unauthenticated apparatuses and subscribers.
Therefore, in order to provide frame security and frame authentication functions in an EPON ONU, a MAC security apparatus structure using the Galois/Counter Mode of the Advanced Encryption Standard (GCM-AES) algorithm is needed, and this structure should be implemented so that it is compatible with a conventional EPON structure. It should also provide protection against a variety of attacks on the encryption.
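The following is an added illustration, written for this page and not taken from the patent or from any IEEE 802.1AE implementation, of how a MAC security entity can use GCM-AES to give a frame the three properties described above (secrecy of the payload, integrity of the whole frame, and rejection of replayed or tampered frames). The frame layout (destination and source MAC in the clear, followed by an 8-byte secure channel identifier and a 4-byte packet number, then the encrypted EtherType and payload and a 16-byte integrity check value), the fixed key, and the MAC addresses are all constructed assumptions for the example; the nonce is the SCI concatenated with the packet number, so a packet number must never repeat under one key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	macHdrLen = 12 // destination + source MAC, sent in the clear but authenticated
	sciLen    = 8  // secure channel identifier, prepended to the frame (assumed layout)
	pnLen     = 4  // packet number, follows the SCI (assumed layout)
	icvLen    = 16 // GCM integrity check value (authentication tag)
)

// replayState is the receiver's anti-replay record for one secure channel:
// the highest packet number whose ICV has verified so far.
type replayState struct{ lastPN uint32 }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// protectFrame turns dst|src|EtherType|payload into dst|src|SCI|PN|ciphertext|ICV.
// MAC header, SCI and PN are associated data (authenticated, not encrypted);
// EtherType and payload are encrypted and authenticated. Nonce = SCI||PN.
func protectFrame(aead cipher.AEAD, sci [sciLen]byte, pn uint32, frame []byte) ([]byte, error) {
	if len(frame) < macHdrLen+2 {
		return nil, errors.New("frame shorter than MAC header plus EtherType")
	}
	if pn == 0 {
		return nil, errors.New("packet number 0 is reserved")
	}
	nonce := make([]byte, sciLen+pnLen)
	copy(nonce, sci[:])
	binary.BigEndian.PutUint32(nonce[sciLen:], pn)
	aad := make([]byte, 0, macHdrLen+len(nonce))
	aad = append(aad, frame[:macHdrLen]...)
	aad = append(aad, nonce...)
	out := make([]byte, len(aad), len(aad)+len(frame)-macHdrLen+icvLen)
	copy(out, aad)
	return aead.Seal(out, nonce, frame[macHdrLen:], aad), nil
}

// unprotectFrame verifies and decrypts a protected frame. The replay check runs
// before the decrypt, but lastPN is only advanced after the ICV verifies, so a
// forged frame carrying a large PN cannot lock out genuine traffic.
func unprotectFrame(aead cipher.AEAD, st *replayState, prot []byte) ([]byte, error) {
	hdrEnd := macHdrLen + sciLen + pnLen
	if len(prot) < hdrEnd+icvLen {
		return nil, errors.New("protected frame too short")
	}
	aad := prot[:hdrEnd]
	nonce := prot[macHdrLen:hdrEnd]
	pn := binary.BigEndian.Uint32(prot[macHdrLen+sciLen : hdrEnd])
	if pn == 0 || pn <= st.lastPN {
		return nil, errors.New("replayed or out-of-order packet number")
	}
	plain, err := aead.Open(nil, nonce, prot[hdrEnd:], aad)
	if err != nil {
		return nil, errors.New("ICV check failed: frame tampered or wrong key")
	}
	st.lastPN = pn
	return append(append([]byte{}, prot[:macHdrLen]...), plain...), nil
}

// demo exercises the receiver with a genuine downstream frame, a replay of that
// frame, and a copy with one ciphertext byte flipped. All inputs are constructed.
func demo() (genuineOK, replayRejected, tamperRejected bool) {
	key := bytes.Repeat([]byte{0x2b}, 16) // constructed 128-bit key; never fixed in practice
	aead, err := newGCM(key)
	if err != nil {
		panic(err)
	}
	sci := [sciLen]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x01} // OLT MAC + port (constructed)
	frame := append([]byte{
		0x00, 0x11, 0x22, 0x33, 0x44, 0x66, // dst: ONU (constructed)
		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, // src: OLT (constructed)
		0x08, 0x00, // EtherType IPv4
	}, []byte("subscriber payload")...)

	prot, err := protectFrame(aead, sci, 1, frame)
	if err != nil {
		panic(err)
	}
	var st replayState
	got, err := unprotectFrame(aead, &st, prot)
	genuineOK = err == nil && bytes.Equal(got, frame)

	_, err = unprotectFrame(aead, &st, prot) // same PN again: a captured frame replayed
	replayRejected = err != nil

	tampered := append([]byte{}, prot...)
	tampered[len(tampered)-icvLen-1] ^= 0x01 // flip the last ciphertext byte
	_, err = unprotectFrame(aead, &replayState{}, tampered) // fresh state isolates the ICV check
	tamperRejected = err != nil
	return
}

func main() {
	g, r, t := demo()
	fmt.Printf("genuine accepted: %v, replay rejected: %v, tamper rejected: %v\n", g, r, t)
}
```

An eavesdropping ONU that captures the protected frame sees the MAC addresses, SCI and PN in the clear but not the EtherType or payload, and without the key it can neither forge an ICV nor decrypt; the strict packet-number check is the simplest replay defence and assumes in-order delivery, so a deployment that tolerates reordering would replace it with a sliding window.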